arXiv:1509.01504v1 [cs.CR] 4 Sep 2015


Insecure primitive elements in an ElGamal signature protocol 


Omar Khadir 

Laboratory of Mathematics, Cryptography and Mechanics, Fstm 
University Hassan of Casablanca, Morocco 
e-mail: khadir@hotmail.com 


Abstract 

Consider the classical ElGamal digital signature scheme based on the modular relation $\alpha^m \equiv y^r r^s\ [p]$. In this work, we prove that if we can compute a natural integer $i$ such that $\alpha^i \bmod p$ is smooth and divides $p-1$, then it is possible to sign any given document without knowing the secret key. Therefore we extend and reinforce Bleichenbacher's attack presented at Eurocrypt'96.
1 Introduction

It was in 1976 that Diffie and Hellman published their famous paper "New directions in cryptography" [4]. For the first time in communication history, they provided us with a mechanism that guarantees the confidentiality of documents and data we would like to exchange over a public and insecure channel. This event is at the origin of public key cryptography [4, 14, 13]. Since then, many original cryptographic methods have been conceived and proposed to solve a variety of communication problems like identification, authentication, integrity or zero-knowledge proofs. However, the most important field in public key cryptography is probably the digital signature protocol. Its use in e-business for transferring funds makes it a sensitive question. Let us recall the principle. For the user Alice we prepare two kinds of keys. The first, $y$, is public and must be widely distributed to the other users. The second, $x$, is private and must be kept secret. When Alice decides to sign a document $M$, she has to solve a difficult problem, in general a mathematical equation. This problem depends on Alice's public key $y$ and on the document $M$. It is constructed in such a way that nobody, except Alice, can solve it. With the help of her secret key $x$, Alice is able to give the answer.

The equation is based on a hard question in mathematics like the factorization or the discrete logarithm problem. We cannot forge Alice's signature, but anyone, like a judge, can verify that the solution she gives is valid.

Let $p$ be a prime number and $\alpha$ a primitive element modulo $p$. The discrete logarithm problem consists of solving the modular equation $\alpha^x \equiv \beta\ [p]$, where $\beta$ is a fixed integer and $x$ is the unknown variable. In 1978, Pohlig and Hellman [12] elaborated an efficient algorithm when $p-1$ is $B$-smooth. In 1985, ElGamal [6] proposed a public key cryptosystem and one of the first digital signature protocols, both based on the discrete logarithm. Nobody knows how he found his difficult signature equation. Several variants of the signature scheme were developed [15, 5, 10 table 11.5 p.457, 7, 9]. In 1996, Bleichenbacher [2, 3] built an attack that relies on the Pohlig and Hellman algorithm if the ElGamal signature parameters are not properly chosen. In 1999, Kuwakado and Tanaka [9] proved that, when we use the ElGamal method to sign two documents, if the secret nonces $k_1, k_2$ are less than the square root of the prime modulus $p$, then we can compute the secret key of the signer and break the whole system. In 2011, the author slightly extended Bleichenbacher's attack [8].

Let $\alpha^m \equiv y^r r^s\ [p]$ be the classical ElGamal signature equation. In this work, we show that if we can compute a natural integer $i$ such that $\alpha^i \bmod p$ is $B$-smooth and divides $p-1$, then it is possible to sign any given document without knowing the secret key. As a consequence, we prove that if $(p, \alpha, y)$ is Alice's public key, and if one of the four positive integers $\alpha$, $p-\alpha$, $\frac{1}{\alpha} \bmod p$ or $-\frac{1}{\alpha} \bmod p$ is $B$-smooth and divides $p-1$, then it is possible to sign any message without knowing Alice's private key. Therefore we extend and reinforce Bleichenbacher's attack presented at Eurocrypt'96.

Note also that our work tends to confirm what was mentioned by many authors: it is certainly easier to break the ElGamal signature scheme than to solve the discrete logarithm problem.

Our paper is organized as follows. In section 2 we briefly recall the classical ElGamal signature scheme. Section 3 is devoted to the review of Bleichenbacher's attack [2, 3]. Our contribution is presented in section 4. We conclude in section 5.

Throughout this article, we will adopt the notations of ElGamal's paper [5]. $\mathbb{Z}$, $\mathbb{N}$ are respectively the sets of integers and non-negative integers. For every positive integer $n$, we denote by $\mathbb{Z}_n$ the finite ring of modular integers and by $\mathbb{Z}_n^*$ the multiplicative group of its invertible elements. Let $a, b, c$ be three integers. The greatest common divisor of $a$ and $b$ is denoted by $\gcd(a, b)$. Two numbers $a$ and $b$ are said to be coprime if $\gcd(a, b) = 1$. We write $a \equiv b\ [c]$ if $c$ divides the difference $a - b$, and $a = b \bmod c$ if $a$ is the remainder in the division of $b$ by $c$. The positive integer $a$ is said to be $B$-smooth [10, p.92], $B \in \mathbb{N}$, if every prime factor of $a$ is less than or equal to the bound $B$. Generally, the parameter $B$ depends on the available computing power.


2 Classical ElGamal signature 

In this section we recall the basic ElGamal signature scheme [6, 16 p.287, 10 p.454, 11 p.183].

1. Alice chooses three numbers:

- $p$, a large prime integer.

- $\alpha$, a primitive element (or a generator) [10, p.69] of the finite multiplicative group $\mathbb{Z}_p^*$.

- $x$, a random element belonging to the set $\{2, 3, \ldots, p-2\}$.

Then she computes $y = \alpha^x \bmod p$. Alice's public key is $(p, \alpha, y)$, and $x$ is her private key.

2. To sign the message $m$, Alice needs to solve the equation:

$\alpha^m \equiv y^r r^s\ [p] \qquad (1)$

where $r, s$ are the unknown variables.

Alice arbitrarily fixes $r$ to be $r = \alpha^k \bmod p$, where $k$ is chosen randomly and invertible modulo $p-1$. Equation (1) is then equivalent to:

$m \equiv xr + ks\ [p-1] \qquad (2)$

As Alice knows the secret key $x$, and as the integer $k$ is invertible modulo $p-1$, she computes the second unknown variable $s$: $s = \frac{m - xr}{k}\ [p-1]$.

3. Bob can verify the signature by checking that congruence (1) is valid for the variables $r$ and $s$ given by Alice.

To avoid some attacks, instead of signing a message $M$, it is more secure to apply a hash function $h$, like SHA-1 [16 p.137, 10 p.348], and compute $m = h(M)$ before signing the hashed value $m$.
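The scheme just recalled, as an added Python example that is not part of the paper: key generation, signing with an explicit nonce, and Bob's verification of congruence (1). The values $p = 1597$, $\alpha = 11$, $x = 856$ and $m = 1234$ are the ones the paper uses in Example 1 of section 4; the nonce $k = 5$ is chosen here only to make the run deterministic (in practice it must be random and never reused), and the range check $0 < r < p$ in the verifier is standard practice rather than part of the paper's description.

```python
# Added example (not from the paper): textbook ElGamal signature as recalled in
# section 2, with an explicit nonce k so that the run is reproducible.
from math import gcd


def elgamal_keygen(p, alpha, x):
    """Return Alice's public key (p, alpha, y) for the private key x."""
    if not 2 <= x <= p - 2:
        raise ValueError("x must lie in {2, ..., p-2}")
    return (p, alpha, pow(alpha, x, p))


def elgamal_sign(p, alpha, x, m, k):
    """Sign the hashed value m with nonce k by solving m = x*r + k*s [p-1]."""
    if gcd(k, p - 1) != 1:
        raise ValueError("nonce k must be invertible modulo p-1")
    r = pow(alpha, k, p)
    s = (m - x * r) * pow(k, -1, p - 1) % (p - 1)
    return (r, s)


def elgamal_verify(p, alpha, y, m, r, s):
    """Bob's check of congruence (1): alpha^m = y^r * r^s [p].

    The range check on r is standard hardening (constructed here, not in the
    paper's description of the scheme)."""
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(alpha, m, p) == pow(y, r, p) * pow(r, s, p) % p


# Constructed run with the paper's Example 1 parameters.
P, ALPHA, X = 1597, 11, 856
_, _, Y = elgamal_keygen(P, ALPHA, X)     # Y == 159, as in the paper
M = 1234                                  # m = h(M), as in the paper
K = 5                                     # deterministic nonce for this demo only
R, S = elgamal_sign(P, ALPHA, X, M, K)

if __name__ == "__main__":
    print("y =", Y)
    print("signature (r, s) =", (R, S))
    print("verifies:", elgamal_verify(P, ALPHA, Y, M, R, S))
    print("verifies with tampered m:", elgamal_verify(P, ALPHA, Y, M + 1, R, S))
```

The public key computed from $x = 856$ is $y = 159$, which matches the paper's Example 1, and the signature produced with $k = 5$ verifies for $m = 1234$ but not for $m + 1$.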

3 Bleichenbacher’s attack 

In this part we recall Bleichenbacher's remarkable attack presented at the Eurocrypt'96 conference [2]. Here, of course, we use the corrected version [3].

Let $(p, g, y_A)$ be Alice's public key in an ElGamal signature scheme, and $x_A$ her private key.

Theorem 1. [3] Let $p-1 = bw$ where $b$ is smooth and let $y_A = g^{x_A} \pmod p$ be the public key of user $A$. If $r$ and $k$ are known such that $r = g^k = cw \pmod p$ with $0 < c < b$, then it is possible to generate a valid ElGamal signature $(r, s)$ for all $h$ with $h \equiv x_A r \pmod{\gcd(k, p-1)}$. In particular, when $r$ is a generator of $\mathbb{F}_p^*$ then it is possible to generate an ElGamal signature for all $h$.

Theorem 1 has an immediate practical consequence:

Corollary 1. ([3]) If $\alpha$ is $B$-smooth and divides $p-1$ then it is possible to generate a valid ElGamal signature on an arbitrary value $h$ if $p \equiv 1\ [4]$ and on one half of the values $0 < h < p$ if $p \equiv 3\ [4]$.

When $p \equiv 1\ [4]$, we easily derive the following algorithm, which we will exploit in an illustrative example of our own attack.

Algorithm 1.

1- Input $(p, \alpha, y)$; {$\alpha$ is $B$-smooth and divides $p-1$, $p \equiv 1\ [4]$}

2- Input $m$; {$m = h(M)$ where $M$ is the message to be signed.}

3- $k \leftarrow (p-3)/2$;

4- $r \leftarrow \alpha^k \bmod p$; {$r$ is the first parameter of the digital signature. We also have $r := (p-1)/\alpha$.}

5- $w \leftarrow (p-1)/\alpha$;

6- $b \leftarrow \alpha^w \bmod p$; {$b$ is a generator of a suitable subgroup $H$.}

7- $B \leftarrow y^w \bmod p$; {$B$ is another element of $H$.}

8- $x_0 \leftarrow x$; {$x$ is a solution to the easy discrete logarithm problem $b^x \equiv B\ [p]$, since the Pohlig and Hellman algorithm [12] is efficient.}

9- $s \leftarrow \frac{h(M) - r x_0}{k}\ [p-1]$; {$s$ is the second parameter of the digital signature.}

10- Output $(r, s)$. {The couple $(r, s)$ is the ElGamal digital signature obtained without using Alice's private key $x$.}


In 2011, Corollary 1 was extended by the author to the following more general result:

Theorem 2. [8] Let $(p, \alpha, y)$ be Alice's public key in an ElGamal signature protocol. An adversary can forge Alice's signature for any given message if one of the following conditions is satisfied:

a) $p \equiv 1\ [4]$, $\alpha$ is $B$-smooth and divides $p-1$.

b) $p \equiv 1\ [4]$, $\frac{1}{\alpha} \bmod p$ is $B$-smooth and divides $p-1$.

c) $\alpha^2$ is $B$-smooth and divides $p-1$.


4 Our contribution 

We start this section by describing our main result, which is a significant extension of Bleichenbacher's Corollary 1. Throughout this part, for more clarity and without loss of generality, we always suppose that the prime modulus $p$ is congruent to 1 modulo 4. When $p \equiv 3\ [4]$ all our results remain valid, but only for documents $M$ such that the integer $m = h(M)$ has a fixed parity.

Theorem 3. Let $(p, \alpha, y)$ be Alice's public key in an ElGamal signature protocol. Suppose that $p \equiv 1\ [4]$. If we can compute a natural integer $i$, coprime to $p-1$, such that $\alpha^i \bmod p$ is $B$-smooth and divides $p-1$, then it is possible to generate a digital signature for any given document without knowing Alice's private key.

Proof. Let $M$ be the message that we would like to sign and $m = h(M)$ be its hashed value. We must find two unknown integers $r$ and $s$ such that $\alpha^m \equiv y^r r^s\ [p]$.

Let $i$ be a natural integer coprime to $p-1$ such that $\alpha^i \bmod p$ is $B$-smooth and divides $p-1$. The ElGamal digital signature Equation (1) is equivalent to

$(\alpha^i)^m \equiv (y^i)^r r^{is}\ [p] \qquad (3)$

If we set $\beta = \alpha^i \bmod p$, $z = y^i \bmod p$, $u = r$ and $v = is \bmod (p-1)$, we obtain the new modular equation

$\beta^m \equiv z^u u^v\ [p] \qquad (4)$

Since $\gcd(i, p-1) = 1$, the element $\beta = \alpha^i \bmod p$ is a primitive root. As $\beta^x \bmod p = z$, where $x$ is Alice's secret key, the triplet $(p, \beta, z)$ can be seen as the public key of an imaginary user in an ElGamal signature protocol. We do not need the private key $x$. For any given document $M$, by Corollary 1, it is possible to solve equation (4) and to find the unknown variables $u$ and $v$. Therefore, we generate a signature by giving the couple $r = u$ and $s = \frac{v}{i} \bmod (p-1)$.

Observe that a trapdoor could be hidden in the generator $\alpha$ by choosing it such that $\alpha^i \bmod p$ is $B$-smooth and divides $p-1$, with a large exponent $i$.

To illustrate our technique, let us give a numerical example.

Example 1. Assume that $p = 1597$, $\alpha = 11$ and $y = 159$. The secret key $x = 856$ is ignored.

Suppose that we want to sign the message $M$ such that $m = h(M) = 1234$, where $h$ is a hash function like SHA-1. Observe, first, that Bleichenbacher's attack cannot be mounted here. On the other hand, conditions a) and b) in Theorem 2 are not satisfied. Let us therefore apply our method. With the help of a computer, we find that the smallest positive exponent $i$ such that $\beta = \alpha^i \bmod p$ divides $p-1$ is $i = 275$. As $z = y^i \bmod p = 1287$, we determine the public key of a fictive user $(p, \beta, z) = (1597, 38, 1287)$. Obviously $\beta$ is $B$-smooth. Algorithm 1 gives us the signature $(u, v) = (42, 1202)$. As $u = r$ and $v = is \bmod (p-1)$, we obtain $(r, s) = (42, 370)$. So, we have signed the message $M$ such that $h(M) = 1234$ without using Alice's private key $x$. Any verifier can check that the ElGamal modular equation (1) is valid.
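As an added Python example that is not part of the paper, the following audit implements the parameter checks behind Corollary 1, Theorem 2, Corollary 2 and Theorem 3 for a public key $(p, \alpha, y)$: whether a number is $B$-smooth and divides $p-1$, which of the four numbers $\alpha$, $p-\alpha$, $\frac{1}{\alpha} \bmod p$, $-\frac{1}{\alpha} \bmod p$ of Corollary 2 satisfy that condition, and a search over exponents $i$ coprime to $p-1$ (as Theorem 3 requires) for a power $\alpha^i \bmod p$ that satisfies it. It then checks the forged signature $(r, s) = (42, 370)$ of Example 1 against congruence (1). The bound $B = 19$ and the search limit are choices made here; the key, message and signature values are the paper's.

```python
# Added example (not from the paper): audit an ElGamal public key (p, alpha, y)
# for the weak-generator conditions of sections 3 and 4, then verify the forged
# signature of Example 1 with the ordinary verification congruence (1).
from math import gcd


def is_smooth(n, bound):
    """True if every prime factor of n is <= bound (the paper's B-smoothness)."""
    if n < 1:
        return False
    q = 2
    while q * q <= n:
        while n % q == 0:
            n //= q
        q += 1
    return n <= bound          # whatever is left is 1 or the largest prime factor


def weak_divisor(n, p, bound):
    """Bleichenbacher's condition: 0 < n < p, n is B-smooth and n divides p - 1."""
    return 0 < n < p and (p - 1) % n == 0 and is_smooth(n, bound)


def corollary2_hits(p, alpha, bound):
    """Names of those among alpha, p-alpha, 1/alpha, -1/alpha (mod p) that are
    B-smooth divisors of p - 1, i.e. the cases covered by Corollary 2."""
    inv = pow(alpha, -1, p)
    candidates = {"alpha": alpha, "p-alpha": p - alpha,
                  "1/alpha": inv, "-1/alpha": (-inv) % p}
    return [name for name, n in candidates.items() if weak_divisor(n, p, bound)]


def theorem3_exponent(p, alpha, bound, max_i=None):
    """Search i = 1..max_i (default p-2) for the first exponent coprime to p-1
    with alpha^i mod p a B-smooth divisor of p-1 (Theorem 3). Returns (i, beta)
    or None. The search bound is a choice of this example."""
    limit = p - 2 if max_i is None else max_i
    beta = 1
    for i in range(1, limit + 1):
        beta = beta * alpha % p                 # beta = alpha^i mod p
        if gcd(i, p - 1) == 1 and weak_divisor(beta, p, bound):
            return (i, beta)
    return None


def verify_signature(p, alpha, y, m, r, s):
    """Congruence (1): alpha^m = y^r * r^s [p], with the usual range check on r."""
    return 0 < r < p and pow(alpha, m, p) == pow(y, r, p) * pow(r, s, p) % p


# Paper's Example 1: public key, hashed message and forged signature.
P, ALPHA, Y = 1597, 11, 159
M, R, S = 1234, 42, 370
B = 19   # constructed bound: 1596 = 2^2 * 3 * 7 * 19, so every divisor is 19-smooth

if __name__ == "__main__":
    print("p = 1 [4]:", P % 4 == 1)
    print("Corollary 2 hits:", corollary2_hits(P, ALPHA, B))
    print("Theorem 3 exponent (i, beta):", theorem3_exponent(P, ALPHA, B))
    print("i = 275 gives beta =", pow(ALPHA, 275, P),
          "weak:", weak_divisor(pow(ALPHA, 275, P), P, B))
    print("forged (r, s) verifies:", verify_signature(P, ALPHA, Y, M, R, S))
```

On the paper's key the four numbers of Corollary 2 give no hit, which is why Bleichenbacher's attack and conditions a) and b) of Theorem 2 do not apply, while the exponent search does find a qualifying power; checking $i = 275$ directly gives $\beta = 38$, a $19$-smooth divisor of $1596$, and the forged signature $(42, 370)$ passes the verification congruence. A key generator that runs `corollary2_hits` and `theorem3_exponent` before accepting $(p, \alpha)$ rejects exactly the generators this paper shows to be insecure.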

Assume that $(p, \alpha, y)$ is Alice's public key. In some sense, our result in Theorem 3 means that, to break the ElGamal digital signature system, it is not necessary to have $p-1$ a multiple of $\alpha$, as claimed by Bleichenbacher [2, 3], but it suffices to have $p-1$ a multiple of any one of the primitive elements modulo $p$. The next corollary is another extension.

Corollary 2. Let $(p, \alpha, y)$ be Alice's public key in an ElGamal signature protocol. Suppose that $p \equiv 1\ [4]$. If one among the four positive numbers $\alpha$, $p-\alpha$, $\frac{1}{\alpha} \bmod p$ or $-\frac{1}{\alpha} \bmod p$ is $B$-smooth and divides $p-1$, then it is possible to generate a signature for any given document without knowing Alice's private key.

Proof. For $\alpha$ and $\frac{1}{\alpha} \bmod p$ apply respectively Corollary 1 and Theorem 2. Let us study the two cases corresponding to $p-\alpha$ and $-\frac{1}{\alpha} \bmod p$. The even integer $p-1$ can be decomposed as $p-1 = 2^k l$ where $k, l$ are the two easily computable natural numbers such that $k \geq 2$ and $l$ is odd. Fermat's little theorem gives the modular relation $\alpha^{p-1} \equiv 1\ [p]$. As the order of the primitive element $\alpha$ is $p-1$, looking at the factorization of $\alpha^{p-1} - 1$ modulo $p$, we necessarily have $\alpha^{(p-1)/2} \equiv -1\ [p]$, which implies $\alpha^{(p+1)/2} \equiv -\alpha\ [p]$ and $\alpha^{(p-3)/2} \equiv -\frac{1}{\alpha}\ [p]$. Since $\gcd\left(\frac{p+1}{2}, p-1\right) = \gcd\left(\frac{p-3}{2}, p-1\right) = 1$, the proof is achieved by immediate application of our Theorem 3.

□

There is a well known particular situation for the generator choice: "Choosing $\alpha = 2$ is exceptionally bad" [2, 3, 1, 10 p.456]. We extend the case:

Corollary 3. Let $(p, \alpha, y)$ be Alice's public key in an ElGamal signature protocol. Suppose that $p \equiv 1\ [4]$. It is possible to forge Alice's digital signature for any given message $M$ if we have one of the two conditions:

i) $\alpha = 2$.

ii) The number 2 is a primitive element of the multiplicative group $\mathbb{Z}_p^*$ and the positive exponent $i$ such that $\alpha^i \equiv 2\ [p]$ is computable.

Proof. Similar to the justification of Theorem 3.

□


5 Conclusion 

In this paper, we determined new primitive elements of the multiplicative finite group $\mathbb{Z}_p^*$, $p$ prime, for which the ElGamal digital signature scheme is no longer secure. We therefore made an extension of the old and remarkable result presented by Bleichenbacher at Eurocrypt'96.